The kernel crypto API offers a rich set of cryptographic ciphers as well
as other data transformation mechanisms and methods to invoke these.
This document contains a description of the API and provides example
code.

To understand and properly use the kernel crypto API a brief explanation
of its structure is given. Based on the architecture, the API can be
separated into different components. Following the architecture
specification, hints to developers of ciphers are provided. Pointers to
the API function call documentation are given at the end.

The kernel crypto API refers to all algorithms as “transformations”.
Therefore, a cipher handle variable usually has the name “tfm”. Besides
cryptographic operations, the kernel crypto API also knows compression
transformations and handles them the same way as ciphers.

The kernel crypto API serves the following entity types:

consumers requesting cryptographic services

data transformation implementations (typically ciphers) that can be
called by consumers using the kernel crypto API

This specification is intended for consumers of the kernel crypto API as
well as for developers implementing ciphers. This API specification,
however, does not discuss all API calls available to data transformation
implementations (i.e. implementations of ciphers and other
transformations (such as CRC or even compression algorithms) that can
register with the kernel crypto API).

Note: The terms “transformation” and cipher algorithm are used
interchangeably.

The transformation implementation is an actual code or interface to
hardware which implements a certain transformation with precisely
defined behavior.

The transformation object (TFM) is an instance of a transformation
implementation. There can be multiple transformation objects associated
with a single transformation implementation. Each of those
transformation objects is held by a crypto API consumer or another
transformation. Transformation object is allocated when a crypto API
consumer requests a transformation implementation. The consumer is then
provided with a structure, which contains a transformation object (TFM).

The structure that contains transformation objects may also be referred
to as a “cipher handle”. Such a cipher handle is always subject to the
following phases that are reflected in the API calls applicable to such
a cipher handle:

Initialization of a cipher handle.

Execution of all intended cipher operations applicable for the handle
where the cipher handle must be furnished to every API call.

Destruction of a cipher handle.

When using the initialization API calls, a cipher handle is created and
returned to the consumer. Therefore, please refer to all initialization
API calls that refer to the data structure type a consumer is expected
to receive and subsequently to use. The initialization API calls have
all the same naming conventions of crypto_alloc*.

The transformation context is private data associated with the
transformation object.